Problem/Motivation
Cross-site Scripting (XSS)
Vulnerable module: ckeditor
Introduced through: ckeditor@4.9.2
ckeditor is a highly configurable WYSIWYG HTML editor.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. It was possible to execute XSS inside CKEditor after persuading the victim to switch CKEditor to source mode, paste specially crafted HTML code prepared by the attacker into the opened CKEditor source area, and then switch back to WYSIWYG mode.
Proposed resolution
Update the wysiwyg module to 7.x-2.6 and ckeditor to CKEditor 4.14.0.
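The remediation above is a version bump, so the practical check is an audit of which installs are still below the fixed releases. The following is an added example, not code from this issue or from either project; it assumes (as labelled in the comments) that the built ckeditor.js carries a literal like version:"4.9.2" and that the wysiwyg module's wysiwyg.info carries version = "7.x-2.5", and the sample file contents are constructed.

```python
"""Audit CKEditor / wysiwyg versions against the fixed releases named in this
issue (CKEditor 4.14.0, wysiwyg 7.x-2.6). Added example, not project code."""
import re
from typing import Optional, Tuple

Version = Optional[Tuple[int, ...]]

FIXED_CKEDITOR = (4, 14, 0)
FIXED_WYSIWYG = (2, 6)  # 7.x-2.6: only the module part after "7.x-" is ordered


def parse_ckeditor_version(js_source: str) -> Version:
    """Extract (major, minor, patch) from ckeditor.js; None if not found.
    Assumption: the built file contains a literal such as version:"4.9.2"."""
    m = re.search(r'version\s*:\s*"(\d+)\.(\d+)\.(\d+)', js_source)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_wysiwyg_version(info_source: str) -> Version:
    """Extract the module version from a Drupal 7 .info file: "7.x-2.6" -> (2, 6).
    Dev snapshots such as "7.x-2.x-dev" return None because they cannot be
    ordered against a release and must be checked by hand."""
    m = re.search(r'^\s*version\s*=\s*"7\.x-(\d+)\.(\d+)"', info_source, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def is_below(found: Version, fixed: Tuple[int, ...]) -> Optional[bool]:
    """True when found < fixed; None when the version could not be determined."""
    return None if found is None else found < fixed


def audit(ckeditor_js: str, wysiwyg_info: str) -> dict:
    """Report both components; a None verdict means 'could not determine'."""
    ck = parse_ckeditor_version(ckeditor_js)
    wy = parse_wysiwyg_version(wysiwyg_info)
    return {
        "ckeditor": ck, "ckeditor_vulnerable": is_below(ck, FIXED_CKEDITOR),
        "wysiwyg": wy, "wysiwyg_outdated": is_below(wy, FIXED_WYSIWYG),
    }


# Constructed sample inputs standing in for files read from a site tree.
SAMPLE_CKEDITOR_JS = 'CKEDITOR={timestamp:"K2KA",version:"4.9.2",revision:"x"}'
SAMPLE_WYSIWYG_INFO = 'name = Wysiwyg\ncore = 7.x\nversion = "7.x-2.5"\n'

if __name__ == "__main__":
    print(audit(SAMPLE_CKEDITOR_JS, SAMPLE_WYSIWYG_INFO))
```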
wysiwyg 7.x-2.6
Release notes
NOTE! This release accidentally uses the new array syntax, so it is not compatible with PHP 5.3. Please follow #3068559: PHP Syntax error - 7.x-2.6 for news. The 7.x-2.x-dev snapshot has now reverted to the long syntax, but there won't be a new release just for this.
Changes since 7.x-2.5:
Verified CKEditor 4.12.1, TinyMCE 4.9.5, and deprecated YUI.
526280 by TwoD, klausi: Fixed change detection when editors are disabled.
3051597 by TwoD: Fixed CSS of group "print" being applied to the Wysiwyg editor.
3059810 by jedsaet: Fixed typo in ACF description and URL link.
1927000 by TwoD, mglaman: Added utility functions for fullscreen mode management.
2859553 by ben.kyriakou, TwoD: Enable image title as default with TinyMCE 4.x.
2884761 by cboyden, TwoD: Fixed stylesheet links with query parameters in TinyMCE.
2890066 by dsnopek: Fixed regression: isNode() callback not working correctly for TinyMCE 3.
Updated verified version ranges to include CKEditor 4.11.4 and TinyMCE 4.9.4.
2884691 by dsnopek: Fixed incorrect CSS when '#groups' array doesn't line up with child elements.
2840699 by TonyT, heilop: Fixed database upgrade errors.
2936164 by Akanksha92: Updated README file as per Drupal standard.
2884450 by TwoD: Fixed adding theme CSS without a background HTTP request.
Fixup for committing wrong patch for #526280.
526280 by TwoD: Extended JavaScript API to react on change events.
2679106 by Dave Reid, Wim Leers, naxoc, Liam Morland: CKEditor uses a separate cache-busting query string from Drupal's.
Fixed editor error indication in profile overview.
3021045 by TwoD: Updated TinyMCE supported version.
3021045 by TwoD: Updated supported editor versions and packaging variants.
2854947 by TwoD: Added hook_wysiwyg_load_includes_alter().
2903753 by ccjjmartin, TwoD: Fixed regression: TinyMCE fullscreen mode.
2968191 by jannis: Fixed undefined variable: css in _wysiwyg_pre_render_styles().
2840699 by heilop: Added removal of any existing primary key in update 7003.